Internal auditors love fraud: detecting it and investigating it. The majority of boards and top management expect internal auditors to dedicate a fair portion of their time to auditing for fraud and performing investigations as needed.
But should the internal audit department be responsible for detecting fraud? Should they allocate a large portion of their audit resources to engagements that focus on the risk of fraud or theft?
While I fully support internal audit involvement in investigating potential fraud, I would like to suggest that organizations need to rethink the role of internal audit in detecting fraud.
Management should be responsible for the system of internal controls, including the ability to prevent and, as necessary, detect potential theft and fraud. Internal audit should only take on any part of this management responsibility with the prior and formal approval of the audit committee. In such cases, the responsibility of internal audit should be limited (in my opinion) to a secondary role in detection while management remains responsible for the primary detection role and fully responsible for prevention.
What do I mean by a secondary role? Management should always be responsible for detection that can be performed in the normal course of business, as part of such functions as payroll, procurement, accounts payable, and inventory management where there is a greater likelihood of theft of fraud simply because of available liquid assets.
Internal audit can play a role where they are like the sweeper on a football team (soccer for Americans). They can use analytics and similar tools to sweep up any potential theft or fraud that has evaded the preventive and detective controls of management. If and when internal audit detects a fraud or theft, they should work with management to strengthen their defenses.
How much time should internal audit allocate to the detection of fraud?
In my opinion, the board and management should expect internal audit to allocate resources consistent with the risk of fraud or theft, while considering the "opportunity cost": what risk areas are they unable to address because of the time spent on fraud.
Where the risk of fraud is high, meaning that there is an unacceptable likelihood of a level of theft or fraud that would be significant to the operation of the business, internal audit should spend more time. But when there is very little likelihood of such a significant fraud or theft, it may well be appropriate to leave this area without internal audit detection in place.
It is important, when assessing fraud risk, to consider not only the immediate size of any loss of assets but also such factors as:
- The potential for a theft or fraud to impact customers, such as when finished goods inventory meant for customers is stolen, or when raw materials necessary for manufacturing are taken.
- The potential for the fraud or theft to impact financial reporting.
- Whether undetected fraud or theft is likely to grow from small beginnings into something of significant impact to the business.
- The potential impact on employee morale and the culture of the organization.
Internal audit can also contribute their expert knowledge by helping management with a fraud risk analysis. I prefer this to be a management responsibility, just as risk assessment in general is a management responsibility. But internal audit may have more understanding and be more capable at some organizations to perform the fraud risk assessment for management. This should not be kept within internal audit, but shared with — and owned by — management so they can ensure the right preventive and front-line detective controls are in place.
I think many internal audit departments spend too much time on fraud detection when it should be a management responsibility. As a result, they are limiting their ability to address risks that are far more significant to the organization’s ability to surpass its objectives and create value.
What is your view?